Why the PCAOB and External Auditors Should be Concerned about Substantive-Only Audits
This article is long overdue, but still one I have been dreading to release. I know the audit firms could come under significant additional scrutiny from regulators such as the PCAOB. However, there are significant risks organizations are facing because of poorly designed controls and inadequate audit procedures. It is 2018, more than 15 years after the passage of the Sarbanes-Oxley Act, and it is time to shine the light on areas that board members and investors would be appalled by if they understood this topic. With this said, here is my article...
In evaluating how to approach an audit, in general, and specific business processes within any audit, in particular, external auditors sometimes choose to audit ‘around the system’. That is, they ignore the way systems are designed and test the given process or control without regard to how the system is designed. They do so by identifying a population of transactions related to the process and testing the activity through sampling as required by their internal standards and consistent with the regulator(s) that oversee their audits (PCAOB, OCC, various government agencies, etc.).
There are consistent gaps in the approach that external audit firms take that could leave the chosen populations incomplete. Therefore, I will make the argument that a substantive-only audit is a flawed approach and one that external audit partners and regulators should be concerned about.
To illustrate this flaw, I will use arguably the most important control related to the integrity of the financial statements – the control over manual (non-standard) journal entries. Manual journal entries inherently pose a high risk to the integrity of the financial statements because they can move any balance between any account within the trial balance. In my experience, most external auditors don’t know how to properly identify a population of journal entries that equate to a manual journal entry.
I identify the following types of journal entries that could exist within an ERP system:
1. Manually created in the system within the general ledger itself
2. Uploaded from a spreadsheet – manual or non-standard type
3. Uploaded from a spreadsheet – created by another system (i.e. manual interface)
4. Uploaded from a spreadsheet – looking as if it came from a subledger
5. Interfaced from another system (i.e. automated interface)
6. Transferred from a subledger
7. Manually created in a subledger and transferred as if it were a subledger entry
… continued in full article - see below for link ...
Conclusions
Because of the way JE controls are typically designed (i.e. to ignore subledger JEs), organizations using Oracle’s E-Business Suite or ERP Cloud applications would need to configure each system differently in order to prohibit a user from creating a journal entry from a Source that is not subject to the manual / non-standard JE controls. In other words, even in the case where an audit is not placing reliance on any application controls (i.e. a fully substantive audit), the improper configuration of a system COULD cause the functional auditors to leave out a portion of the JEs that should be in their control population.
… continued in full article - see below for link …
Access the full article here